This topic describes how to troubleshoot access exceptions on websites that are protected by Web Application Firewall (WAF).
Troubleshooting process
- Check whether the origin server is faulty: Bypass WAF and check whether the origin server responds to access requests as expected.
- Check whether WAF blocks valid access requests: Disable protection modules and check whether WAF blocks access requests.
- Check whether the exception is a common exception: Analyze and troubleshoot the exception based on the instructions described in the common access exceptions table.
For information about the tools that are used during troubleshooting, see Appendix: Common tools.
Check whether the origin server is faulty
- Disable the security groups, blacklists, whitelists, firewalls, SafeDog, and Yunsuo on the origin server to prevent back-to-origin IP addresses of WAF from being blocked.
- Modify the hosts file on your computer to resolve the domain name to the public IP address of the origin server. The origin server is an Elastic Compute Service (ECS) instance, a Server Load Balancer (SLB) instance, or an on-premises server.
- Use a browser on your computer to access the domain name of the origin server and check whether the same exception occurs.
- If you cannot access the origin server, the origin server is faulty. We recommend that you check the working status of the origin server, including processes, CPU utilization, memory, and web logs, and fix the exception.
- If you can access the origin server, the exception is not due to the origin server. Check whether the exception occurs because WAF blocks the access requests. For more information, see Check whether WAF blocks valid access requests.
Check whether WAF blocks valid access requests
- Disable Protection Rules Engine for the domain name of the origin server and check whether the exception persists.
For more information, see Configure the protection rules engine feature.
If you can access the website after you disable Protection Rules Engine, we recommend that you set the Protection Rule Group parameter to Loose rule group in the section. By default, Medium rule group is selected. Alternatively, you can analyze the URL of the origin server by using the Log Service for WAF feature. Then, add a custom protection policy to WAF to allow all access requests to the URL. For more information, see Create a custom protection policy.
- If the exception persists after you disable Protection Rules Engine, disable HTTP Flood Protection for the domain name of the origin server. For more information, see Configure HTTP flood protection.
If you can access the website after you disable HTTP Flood Protection, we recommend that you set the Mode parameter to Prevention in the HTTP Flood Protection section. If the Mode parameter is already set to Prevention, skip this step. Alternatively, you can analyze the URL of the origin server by using the Log Service for WAF feature. Then, add a custom protection policy to WAF to allow all access requests to the URL. For more information, see Create a custom protection policy.
If the exception persists after you disable HTTP Flood Protection, this exception is not due to the protection modules of WAF. For more information, see Check whether the exception is a common exception.
Check whether the exception is a common exception
If the exception disappears after you disable WAF and continues to occur after you enable WAF, troubleshoot the exception based on the instructions in the following table.
Issue | Description | Cause | Solution |
---|---|---|---|
Access unavailable (410 Gone error) | The 410 page prompting that the access is temporarily unavailable and the protocol and port are not added to WAF appears, or the HTTP status code 410 is returned. | The domain name of the website is not added to WAF or the port that the user uses to access the website is not specified to be used to receive and forward requests. For example, if the user uses port 443 to access the website and port 443 is not specified to be used to receive and forward requests, the 410 page appears. | Add the domain name of the website to WAF or specify the port in the WAF console. For more information, see Add a domain name. |
Access blocked (405 error) | The 405 page prompting that the access is blocked appears or the HTTP status code 405 is returned. | The access request is blocked by a custom protection policy or the Protection Rules Engine. | |
Connection reset (302 error) | The system prompts that the connection is reset. The HTTP status code 302 is returned, and the Set-Cookie header is contained in the response. | Access from an IP address triggers HTTP flood protection. | Disable HTTP Flood Protection for the domain name of the origin server. For more information, see Configure HTTP flood protection. If you can access the website after HTTP Flood Protection is disabled, the access requests are blocked by the HTTP flood protection rule. We recommend that you set the Mode parameter to Prevention in the HTTP Flood Protection section. If the Mode parameter is already set to Prevention, skip this step. Alternatively, you can analyze the URL of the origin server by using the Log Service for WAF feature. Then, add a custom protection policy to WAF to allow all access requests to the URL. For more information, see Create a custom protection policy. |
HTTPS access exceptions | After a client sends an HTTPS request, the certificate www.notexist.com is returned. | WAF requires the browser to support Server Name Indication (SNI). However, the browser of the client may not support SNI. | By default, macOS and iOS operating systems support SNI. For Windows and Android operating systems, make sure that the operating systems are compatible with SNI. For more information, see HTTPS access exceptions arising from SNI compatibility ("Certificate not trusted"). |
Blank screen (502 error) | When you access a website, a blank screen error occurs and the HTTP status code 502 is returned. | When the origin server experiences packet loss or becomes unreachable, WAF returns the HTTP status code 502. | |
Failure to ping a domain name | The domain name fails to be pinged. A text message is received. The message indicates that DDoS attacks occur in WAF, and blackhole filtering is triggered. | WAF cannot mitigate DDoS attacks. | Activate Anti-DDoS to mitigate DDoS attacks. For more information, see Comparison of Alibaba Cloud Anti-DDoS solutions. |
Unbalanced server load | Loads are unbalanced among multiple ECS instances in the backend. | WAF uses Layer 4 hash algorithms for IP addresses. If Anti-DDoS Pro or Anti-DDoS Premium is deployed together with WAF, or SLB uses Layer 4 forwarding, ECS instances may have unbalanced loads. | Configure WAF and ECS instances to directly use SLB to balance the loads. Use Layer 7 forwarding and enable cookie session persistence or load balancing. |
WeChat or Alipay callback failure | WeChat or Alipay callback fails. | The possible reason is that HTTP flood protection rules block high-frequency requests, or HTTPS callback is used but WeChat or Alipay does not support SNI. | |
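The two comparisons this topic relies on, the hosts-file bypass of WAF and the mapping of a WAF response to the table above, can be scripted. The following is an added example written for this page, not code from the original document or from Alibaba Cloud: `fetch()` sends the same request once through WAF (normal DNS) and once straight to the origin server's public IP while keeping the real Host header and SNI, and `classify()` turns what came back into the cause the table lists. The domain name, IP address and path in the usage block are placeholders, and the rule that treats no response or a 5xx from the origin as a faulty origin is this example's own heuristic.

```python
"""Added example, not part of the original WAF troubleshooting topic.

1. fetch(host, connect_ip): the hosts-file step as code. With connect_ip set,
   the TCP connection goes to the origin's public IP (WAF is bypassed) while
   the request still carries Host: <host> and TLS SNI <host>.
2. classify(): maps the response observed through WAF, plus the optional
   direct-to-origin result, to the cause named in the common-exceptions table.
"""
import http.client
import socket
import ssl
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Observation:
    """Status code and lower-cased response headers of one request.
    status 0 means the request got no HTTP response at all."""
    status: int
    headers: dict = field(default_factory=dict)


def fetch(host: str, connect_ip: Optional[str] = None, path: str = "/",
          timeout: float = 10.0) -> Observation:
    """GET https://<host><path>, optionally forcing the TCP connection to connect_ip."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        if connect_ip:
            # Equivalent of the hosts-file edit: connect to the origin IP, but
            # keep SNI (server_hostname) so the certificate check still passes.
            raw = socket.create_connection((connect_ip, 443), timeout=timeout)
            conn.sock = ctx.wrap_socket(raw, server_hostname=host)
        conn.request("GET", path, headers={"Host": host, "User-Agent": "waf-triage-example"})
        resp = conn.getresponse()
        return Observation(resp.status, {k.lower(): v for k, v in resp.getheaders()})
    except (OSError, http.client.HTTPException):
        return Observation(0)
    finally:
        conn.close()


# Solution column of the table, keyed by the verdicts classify() returns.
ADVICE = {
    "origin_faulty": "Origin fails without WAF: check processes, CPU, memory and web logs on the origin.",
    "not_added_to_waf": "410: add the domain name to WAF or specify the port in the WAF console.",
    "blocked_by_rules": "405: blocked by a custom protection policy or Protection Rules Engine.",
    "http_flood_protection": "302 + Set-Cookie: HTTP flood protection triggered; review its Mode or allow the URL.",
    "origin_unreachable_from_waf": "502: WAF could not reach the origin (packet loss or unreachable).",
    "no_response": "No HTTP response through WAF: check DNS and reachability (ping, tracert, nslookup).",
    "ok": "Request succeeded.",
    "unknown": "Not one of the common exceptions in the table.",
}


def classify(via_waf: Observation, direct: Optional[Observation] = None) -> str:
    """Follow the order of the troubleshooting steps: origin first, then WAF.

    direct is the response with WAF bypassed (None if not measured). Treating
    no response or a 5xx from the origin as 'origin faulty' is this example's
    own heuristic, not a rule from the document.
    """
    if direct is not None and (direct.status == 0 or direct.status >= 500):
        return "origin_faulty"
    s = via_waf.status
    if s == 410:
        return "not_added_to_waf"
    if s == 405:
        return "blocked_by_rules"
    if s == 302 and "set-cookie" in via_waf.headers:
        return "http_flood_protection"
    if s == 502:
        return "origin_unreachable_from_waf"
    if s == 0:
        return "no_response"
    return "ok" if s < 400 else "unknown"


if __name__ == "__main__":
    # Placeholders: replace with your protected domain and the origin's public IP.
    domain, origin_ip = "www.example.com", "203.0.113.10"
    verdict = classify(fetch(domain), fetch(domain, connect_ip=origin_ip))
    print(verdict, "-", ADVICE[verdict])
```

Run it with the placeholders replaced; a verdict of `origin_faulty` means the steps under "Check whether the origin server is faulty" apply, anything else points at the matching row of the table.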
Appendix: Common tools
- Chrome DevTools: This tool is provided by Google Chrome and can be used to view the loading status of elements on pages. Press F12 to open the tool and go to the Network tab.
- ping: The ping test tool can be used to analyze and determine network faults. This tool is available in Windows and Linux. In Windows, press Win+R and enter cmd to open Command Prompt. Command: `ping <domain name or IP address>`.
- traceroute for Linux and tracert for Windows: The link tracing tools can be used to detect the hop where the packet loss occurs. In Windows, press Win+R and enter cmd to open Command Prompt. Command: `tracert -d <domain name or IP address>`.
- nslookup: This tool can be used to detect whether domain name resolution works as expected. In Windows, press Win+R and enter cmd to open Command Prompt. Command: `nslookup <domain name>`.